Web Application Firewall (WAF)

The Serverius Next Generation Web Application Firewall protects web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. The WAF supports all common WAF techniques, such as the OWASP core rule sets, many application-based rule sets, a large number of commercial rules, known IP blacklists, source IP rate limiting, SSL encryption and much more.

High performance by clustered proxy

The WAF is based on a clustered reverse proxy with SSL termination included, to offer extremely high-performance filtering. Because it forwards all data traffic and interacts with the user's server, any IP subnet on the internet can be used. It is therefore also possible to use the WAF for websites that are hosted at AWS, Azure, Google or any other cloud service on the internet. The web proxy hides the webserver's public IP by routing all traffic through different public servers and addresses, so an attacker is unable to attack the webserver IP directly.

Free Let’s Encrypt SSL certificates

When you add your domains to the WAF, a free Let’s Encrypt SSL certificate is added by default. This saves you from installing and updating SSL certificates in your hosting environment. The free certificate can be overridden by uploading your personal or commercial SSL certificate.

Application based rule sets

Users can enable many application-specific rules, covering vulnerability classes for applications such as Microsoft SharePoint, WordPress, cPanel, osCommerce, Joomla, Drupal, vBulletin and a few hundred more!

OWASP Core Rule Set support

The OWASP ModSecurity Top 10 Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The Serverius WAF supports many common attack categories, including SQL Injection (SQLi), Cross Site Scripting (XSS), Local File Inclusion (LFI), Remote File Inclusion (RFI), Remote Code Execution (RCE) and PHP Code Injection.

Add your personal WAF rules

In some cases you need to create business-specific security policies. Custom security rules let you create a personalized security policy, giving you the flexibility to tighten security policies for your hosted web applications.

Request method filtering

This feature allows you to block and allow request types. If, for instance, you have a website on which you will never need a PUT request, you can disable it altogether. It is also possible to use whitelist mode, so that only specific request types are allowed.

Debugging pages for diagnosing issues of WAF rules

When adding your manually created rules, the diagnostic tooling can be enabled. This provides information about how the WAF processes your rules. For example, you can see (and test) why your rule is not blocking your request.

Flood & request method control

The WAF allows you to whitelist or blacklist all request methods, such as GET, POST, HEAD, DELETE, CONNECT and TRACE, and to set your flood control request limit per source IP.

White label: using your own private IP subnets

The WAF can be used with Serverius IP space or Serverius name servers or your private IP space. This unique functionality allows ISPs and cloud providers to use the Web Application Firewall and DDoS protection as a white label service.

Virtual patching integration

On top of the default OWASP 2017 core rules, the WAF provides more than 14,000 specific rules in attack categories like SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include, etc. We apply the patch automatically, allowing you to update your applications on your schedule instead of being too late with patching.

Full-featured RESTful API

The WAF can be completely administered through the Serverius web interface and/or via a REST API. This gives organizations the ability to create and maintain rules automatically and incorporate them into the development and design process. For example, a developer who has detailed knowledge of the web application could create a security rule as part of the deployment process. This capability to incorporate security into your development process avoids the need for complex handoffs between application and security teams to make sure rules are kept up to date. A full list of functionality can be found at https://api.serverius.net

Web application Firewall API